
Re: svn Farm

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Fri, 8 Oct 2010 08:09:18 -0400

On Fri, Oct 8, 2010 at 4:10 AM, jehan procaccia
<jehan.procaccia_at_it-sudparis.eu> wrote:
>  On 08/10/2010 02:19, Nico Kadel-Garcia wrote:
>>
>> On Thu, Oct 7, 2010 at 12:18 PM, jehan procaccia
>> <jehan.procaccia_at_it-sudparis.eu>  wrote:
>>>
>>>  On 06/10/2010 17:06, Siva Kumar wrote:
>>>>>
>>>>> I need to provide svn service to many small groups of students.
>>>>> I'm looking for a tool that would help industrialize management of
>>>>> repositories.
>>>>> I don't want to issue hundreds of "svn create", "vi authz" , edit ssh
>>>>> keys
>>>>> for svn+ssh access etc ...
>>>>> Are there such  tools already existing  ?
>>>>
>>>> Subversion Edge(http://www.open.collab.net/go/csvne2_r2a/) might fit
>>>> your
>>>> bill.
>>>
>>> good point !
>>> I've installed and run it, looks good.
>>> but now I need to find a way to link my ldap users to svn roles/authz , I
>>> still can't find how to do that without creating csvn local accounts for
>>> all
>>> my users :-( ... !?
>>
>> Unless you can guarantee that they will not use Linux or UNIX based
>> clients, don't even consider this. The problem is that the Linux and
>> UNIX clients, by default, continue to store passwords in clear text.
>> They whinge about it now before storing it, but it's still an issue.
>>
>> Is there any reason you use 'svn' access, rather than HTTPS? The
>> mod_dav_svn module works well, even though I detest the clear text
>> password problem.
>
> I need my users to be able to work with svn repos both from unix shell
> command "svn" or through GUI clients (web browser, eclipse, tortoise ...)
> For web (http) access, it looks good now, indeed if I set ldap users login
> name in the global authZ (file edit from the admin collabnet
> .../editAuthorization) it works fine.

That's great if that's what you need. There is no way, though, to
prevent your UNIX/Linux command line clients from storing their
passwords in cleartext. This isn't a server problem. It's a command
line client problem.

> Now, is collabnet solution able to serve traditional unix shell command line
> clients ? is there a svnserve server behind it or is apache able to serve
> those clients using svn protocol too ?

Subversion over HTTP is handled with the "WebDAV" protocol. I'm sure
that svnserve protocol, run from the CollabNet package, is using the
svnserve package built into the Subversion source code. (Maybe with a
few tweaks.) I've not personally taken it apart, so I don't know
whether it uses its own webserver or plugs modules into Apache to run
the commonly used https access.

Also note: both the 'svn' and 'http' access send the passwords over
the network in clear text. There are ways around this (such as SSH or
SSL tunneling), but they're pesky to set up. Fortunately, "https"
already has that built in. And svn+ssh not only has the tunneling, it
correctly forces the clients to use SSH keys, instead of passwords
that might be stored unlocked by the UNIX or Linux clients.

>> There remains no good GUI or published toolkit for svn+ssh access
>> configuration. This is one of Subversion's profound deficits, combined
>> with the password issues with the Linux/UNIX clients.  Various
>> companies and groups have internal kits, including Sourceforge, but
>> I've never seen their tools published.
>
> Too bad indeed that there is no toolkit for svn+ssh :-(

I agree. If anyone finds or writes one, I'd love to see it. I'm not
good at writing GUIs from scratch, or I'd try to port one of the git
toolkits over to Subversion for just this purpose.

> Can I start aside collabnet (great and easy HTTP interface) a svnserve
> serving the same repositories ?

I've not tried it. You, or it, will have to be careful to set
ownership of the repository to grant access to both the "apache" user
for a normal webserver, if it's using the built-in Apache, or run the
Apache daemon and the svn daemon as the same user to assure consistent
and controlled write access to the repository.

> If my unix collabnet server does know and authenticate my ldap users (with
> pam_ldap, nss etc ...)
> wouldn't they be able to connect to svnserve with their ldap password !?

svnserve != Apache. They're serving different protocols, with
different daemons. I've not personally tried to hook svnserve to
LDAP/Kerberos. (Most LDAP setups use Kerberos for managing the
passwords: LDAP stores the user information.) I'd review the options
in the svnserve configuration settings for a normal repository: I'd be
really surprised if CollabNet's version differs a lot from the normal
subversion svnserve daemon: it's the management tool, and the support,
you'd get and pay for from CollabNet. (This can be well worth paying
for!!!)

I've not taken apart the CollabNet packages: I assume they're good
interfaces, CollabNet is a generally competent company and I've gotten
good recommendations for it, especially to get commercial support for
more recent releases on operating systems like RHEL where the vendor's
published subversion is so "stable" it's dangerously obsolete. (They
used to host the public wikis and websites for it, a very good
example of how to handle open source projects.)
Received on 2010-10-08 14:09:55 CEST
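
The svn+ssh key setup discussed in this thread, as an added example that is not part of the original message and is not CollabNet or Subversion project code: a POSIX shell script that turns a student roster into `authorized_keys` entries for one shared SSH account, pinning each key to `svnserve -t --tunnel-user=<login>` and rejecting roster fields that could break out of the quoted `command="..."` option. The repository root `/srv/svn`, the roster format, the function names and the sample key bodies are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: authorized_keys entries for one shared "svn" SSH account.
# Assumed, not from the thread: repository root /srv/svn and a roster of
# "<login> <keytype> <base64-key>" lines, one per student.
LC_ALL=C; export LC_ALL
SVN_ROOT=/srv/svn

# Print one authorized_keys line for login $1, key type $2, key body $3.
# Returns 1 if a field could escape the quoted command="..." option or is
# not a plausible public key.
svn_key_line() {
    case "$1" in ''|*[!a-z0-9_-]*) return 1 ;; esac
    case "$1" in [a-z]*) ;; *) return 1 ;; esac
    case "$2" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) ;;
        *) return 1 ;;
    esac
    case "$3" in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    # Forced command: this key can only start svnserve in tunnel mode, and
    # commits are recorded under the student's login, not the shared account.
    printf 'command="svnserve -t --tunnel-user=%s -r %s",' "$1" "$SVN_ROOT"
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty '
    printf '%s %s %s\n' "$2" "$3" "$1"
}

# Read a roster on stdin; valid entries go to stdout, rejects to stderr.
gen_authorized_keys() {
    while read -r login ktype kbody _rest; do
        case "$login" in ''|'#'*) continue ;; esac
        svn_key_line "$login" "$ktype" "$kbody" ||
            printf 'rejected roster entry: %s\n' "$login" >&2
    done
}

# Constructed sample roster; the key bodies are placeholders, not real keys.
# The third entry is a constructed malformed login that must be rejected.
sample_roster() {
    cat <<'EOF'
# login keytype key
alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBODYFORALICE
bob ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYBODYFORBOB==
mallory",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER
EOF
}

sample_roster | gen_authorized_keys
```

The output is meant for the `~/.ssh/authorized_keys` file of the shared account; per-repository read and write rules still belong in the authz file, keyed on the same logins.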

This is an archived mail posted to the Subversion Users mailing list.
